
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>How to install GrapheneOS on a Pixel Phone</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-07-10</ba></p>
<h1>How to install GrapheneOS on a Pixel Phone </h1>
<img src="1.png" class="imgRz">
<p>In this tutorial we're going to set up GrapheneOS, an open source Android operating system for Google Pixel phones. (Yes, Google phones; if you don't like it, you'll have to wait for functional <a href="../openhardware/index.html">open hardware</a> alternatives to arrive on the market.) Currently GrapheneOS is one of the most privacy-focused mobile operating systems, given that it's fully <a href="https://grapheneos.org/source">open source</a> and that they refuse to implement Google services by default, unlike competitors such as LineageOS.</p>
<p><u>DISCLAIMER:</u> yes, the quality of the photos is garbage :)</p>
<p><h2><u>OPSEC Recommendations:</u></h2></p>
<ol>
<li><p>Hardware: Phone (Google Pixel model)</p></li>
</ol>
<p>I recommend using this setup for <a href="../privacy/index.html">Private use</a>, as per the <a href="../opsec4levels/index.html">4 basic OPSEC levels</a>.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Requirements </b></h2>
<p>The first step is to acquire a Google Pixel phone, specifically a model <a href="https://grapheneos.org/faq#supported-devices">that supports GrapheneOS</a>. In my case, I purchased a Pixel 6. Then, on your computer's host OS, install the required packages:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/11 ] [~]
→ sudo pacman -Syy android-tools
[sudo] password for nihilist:
resolving dependencies...
looking for conflicting packages...
Packages (4) android-udev-20240221-1 libmtp-1.1.21-1 protobuf-25.3-4
android-tools-35.0.1-1
Total Download Size: 4.84 MiB
Total Installed Size: 22.07 MiB
:: Proceed with installation? [Y/n] y
</code></pre>
<p>On the phone, we need to enable the developer settings so that we can turn on the "OEM Unlocking" option:</p>
<img src="3.png" class="imgRz">
<img src="4.png" class="imgRz">
<img src="5.png" class="imgRz">
<img src="6.png" class="imgRz">
<img src="7.png" class="imgRz">
<p>Then reboot the phone while holding the power and volume-down buttons to enter fastboot mode:</p>
<img src="8.png" class="imgRz">
<p>Then, connect the device via USB to your computer:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/11 ] [~]
→ lsusb | grep Google
Bus 001 Device 098: ID 18d1:4ee0 Google Inc. Nexus/Pixel Device (fastboot)
[ nowhere ] [ /dev/pts/11 ] [~]
→ fastboot --version
fastboot version 35.0.1-android-tools
Installed as /usr/bin/fastboot
[ nowhere ] [ /dev/pts/11 ] [~]
→ fastboot devices
no permissions; see [http://developer.android.com/tools/device.html] fastboot
[ nowhere ] [ /dev/pts/11 ] [~]
→ sudo -i
nowhere# fastboot devices
1C21FGJH6993LC fastboot
nowhere# fastboot flashing unlock
OKAY [ 0.043s]
Finished. Total time: 0.043s
</code></pre>
<img src="9.png" class="imgRz">
<img src="10.png" class="imgRz">
<img src="11.png" class="imgRz">
<p>Next, as I have a Google Pixel 6, I need to download the correct GrapheneOS image:</p>
<img src="2.png" class="imgRz">
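<p>Before unpacking the archive and running <code>flash-all.sh</code> as root, check the signature on the download. The script below is an added example, not part of the original post or of GrapheneOS's own tooling: it assumes the release ships a detached OpenSSH-format signature named <code>&lt;zip&gt;.sig</code> and an <code>allowed_signers</code> file, and the signer identity and namespace it uses are assumptions to confirm against the project's command-line install guide. The function names are hypothetical.</p>

```shell
#!/bin/sh
# Added example: verify a GrapheneOS factory image before unpacking and flashing it.
# Assumptions (confirm against the official CLI install guide): releases are signed
# in OpenSSH signature format, with the detached signature published as <zip>.sig.
SIGNER_ID="contact@grapheneos.org"   # assumed signer identity in allowed_signers
SIG_NAMESPACE="factory images"       # assumed signature namespace

# verify_factory_image ZIP ALLOWED_SIGNERS
# Returns 0 only if ZIP.sig is a valid signature over ZIP by SIGNER_ID.
# Returns 2 if an input file is missing, 1 if the signature does not verify.
verify_factory_image() {
    image=$1
    signers=$2
    for f in "$image" "$image.sig" "$signers"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 2; }
    done
    ssh-keygen -Y verify -f "$signers" -I "$SIGNER_ID" -n "$SIG_NAMESPACE" \
        -s "$image.sig" < "$image" >/dev/null 2>&1 || return 1
}

# verify_then_unpack ZIP ALLOWED_SIGNERS [DESTDIR]
# Unpacks the archive only after the signature check passes, so flash-all.sh
# is never extracted (or run as root) from an unverified download.
verify_then_unpack() {
    if ! verify_factory_image "$1" "$2"; then
        echo "REFUSING to unpack $1: signature check failed" >&2
        return 1
    fi
    echo "signature OK: $1"
    unzip -q "$1" -d "${3:-.}"
}

# Run directly as: sh verify-image.sh oriole-factory-2024070201.zip allowed_signers
if [ "$#" -ge 2 ]; then
    verify_then_unpack "$@"
fi
```

<p>The check is only as good as the key in <code>allowed_signers</code>, so compare that file against a copy obtained through a second, independent channel before relying on it.</p>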
<pre><code class="nim">
nowhere# mv /home/nihilist/Downloads/oriole-factory-2024070201.zip .
nowhere# unzip oriole-factory-2024070201.zip
Archive: oriole-factory-2024070201.zip
creating: oriole-factory-2024070201/
extracting: oriole-factory-2024070201/image-oriole-2024070201.zip
inflating: oriole-factory-2024070201/bootloader-oriole-slider-14.5-11677881.img
inflating: oriole-factory-2024070201/radio-oriole-g5123b-135085-240517-b-11857288.img
extracting: oriole-factory-2024070201/avb_pkmd.bin
inflating: oriole-factory-2024070201/flash-all.sh
inflating: oriole-factory-2024070201/flash-all.bat
nowhere# cd oriole-factory-2024070201
nowhere# ls
avb_pkmd.bin flash-all.sh
bootloader-oriole-slider-14.5-11677881.img image-oriole-2024070201.zip
flash-all.bat radio-oriole-g5123b-135085-240517-b-11857288.img
nowhere# chmod +x ./flash-all.sh
nowhere# ./flash-all.sh
</code></pre>
<p>Then let the Bash script run; it can take a few minutes:</p>
<pre><code class="nim">
nowhere# ./flash-all.sh
Warning: skip copying bootloader_a image avb footer (bootloader_a partition size: 0, bootloader_a image size: 14125140).
Sending 'bootloader_a' (13794 KB) OKAY [ 0.364s]
Writing 'bootloader_a' (bootloader) Flashing pack version slider-14.5-11677881
(bootloader) flashing platform gs101
(bootloader) Validating partition ufs
(bootloader) Validating partition partition:0
(bootloader) Validating partition partition:1
(bootloader) Validating partition partition:2
(bootloader) Validating partition partition:3
(bootloader) Validating partition bl1_a
(bootloader) Validating partition pbl_a
(bootloader) Validating partition bl2_a
(bootloader) Validating partition abl_a
(bootloader) Validating partition bl31_a
(bootloader) Validating partition tzsw_a
(bootloader) Validating partition gsa_a
(bootloader) Validating partition ldfw_a
(bootloader) Flashing partition ufs
(bootloader) Flashing partition partition:0
(bootloader) Flashing partition partition:1
(bootloader) Flashing partition partition:2
(bootloader) Flashing partition partition:3
(bootloader) Flashing partition bl1_a
(bootloader) Flashing partition pbl_a
(bootloader) Flashing partition bl2_a
(bootloader) Flashing partition abl_a
(bootloader) Flashing partition bl31_a
(bootloader) Flashing partition tzsw_a
(bootloader) Flashing partition gsa_a
(bootloader) Flashing partition ldfw_a
(bootloader) Loading sideload ufsfwupdate
OKAY [ 3.089s]
Finished. Total time: 3.454s
Setting current slot to 'a' OKAY [ 0.058s]
Finished. Total time: 0.059s
Rebooting into bootloader OKAY [ 0.000s]
[...]
Sending sparse 'super' 11/13 (254972 KB) OKAY [ 6.618s]
Writing 'super' OKAY [ 0.950s]
Sending sparse 'super' 12/13 (254972 KB) OKAY [ 6.621s]
Writing 'super' OKAY [ 0.935s]
Sending sparse 'super' 13/13 (46284 KB) OKAY [ 1.216s]
Writing 'super' OKAY [ 0.204s]
Erasing 'userdata' OKAY [ 0.390s]
Erase successful, but not automatically formatting.
File system type raw not supported.
wipe task partition not found: cache
Erasing 'metadata' OKAY [ 0.007s]
Erase successful, but not automatically formatting.
File system type raw not supported.
Finished. Total time: 105.929s
Rebooting into bootloader OKAY [ 0.000s]
Finished. Total time: 0.150s
nowhere#
</code></pre>
<img src="12.png" class="imgRz">
<img src="13.png" class="imgRz">
<img src="14.png" class="imgRz">
<p>Then lock the bootloader:</p>
<pre><code class="nim">
nowhere# fastboot devices
1C21FGJH6993LC fastboot
nowhere# fastboot flashing lock
OKAY [ 0.276s]
Finished. Total time: 0.276s
</code></pre>
<img src="15.png" class="imgRz">
<img src="16.png" class="imgRz">
<img src="17.png" class="imgRz">
<img src="18.png" class="imgRz">
<img src="19.png" class="imgRz">
<img src="20.png" class="imgRz">
<img src="21.png" class="imgRz">
<p>And that's it! We managed to flash GrapheneOS on the Pixel phone.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Setting up multiple Profiles (for Public, and for Private use)</b></h2> <br> <br>
<p>As we have seen <a href="../internetsegmentation/index.html">previously</a>, it's always good OPSEC practice to separate public use from private use. This also applies to your phone. In this case we'll create a profile specifically for public usage, while we keep the main one for private usage.</p>
<img src="22.png" class="imgRz">
<img src="23.png" class="imgRz">
<img src="24.png" class="imgRz">
<p>With this in place, we can keep the closed-source applications in the public usage profile, while we keep the FOSS applications in the default private usage profile.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Setting up package managers</b></h2> <br> <br>
<p>Now that that's done, we use the private usage profile to install F-Droid, in order to install FOSS applications:</p>
<img src="25.png" class="imgRz">
<img src="32.png" class="imgRz">
<img src="33.png" class="imgRz">
<img src="34.png" class="imgRz">
<p>And here we can go into our public usage profile to set up the Aurora Store to install closed-source applications like so:</p>
<img src="41.png" class="imgRz">
<img src="42.png" class="imgRz">
<img src="26.png" class="imgRz">
<img src="27.png" class="imgRz">
<img src="28.png" class="imgRz">
<img src="29.png" class="imgRz">
<img src="31.png" class="imgRz">
<p>And from there, we can install all non-FOSS applications in the public usage profile.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
</body>
</html>